Studio HTML injection

Using the Team Create tab, we are able to inject HTML into Studio.

Video

roblox studio html injection - YouTube

4 Likes

Does the script tag work?

If so, then XSS, ouch.

Except it’s not really cross site…
Unless a more important panel suffers from the same problem…

1 Like

I’ve only been able to pass HTML.

I don’t believe there is any danger since it’s just injecting HTML into the popup; I don’t see any issues it could cause.

I’m guessing that the dialog is being rendered with Qt’s rich text rendering, which is extremely limited in functionality (though you could still do some nefarious stuff with image tags in combination with other vulnerabilities/exploits).

Reference: http://doc.qt.io/archives/qt-4.8/richtext-html-subset.html

2 Likes
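
An added example, not part of the thread and not Roblox or Qt code: a Python check for untrusted names before they reach a widget that renders Qt rich text, as the last reply guesses the dialog does. The tag set is a partial, assumed excerpt of the Qt subset referenced above, and `audit_display_name` and the sample names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Assumption: partial excerpt of the tags listed in the Qt rich-text subset.
QT_RICH_TEXT_TAGS = {"a", "b", "br", "font", "h1", "h2", "h3",
                     "i", "img", "p", "span", "table", "u"}


class _TagFinder(HTMLParser):
    """Collects every start tag and any <img src=...> values in a string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.image_sources = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser lowercases tag names
        if tag == "img":
            self.image_sources += [v for k, v in attrs if k == "src" and v]


def audit_display_name(name):
    """Report markup a rich-text widget would interpret, plus an escaped form."""
    finder = _TagFinder()
    finder.feed(name)
    finder.close()
    return {
        # Tags the renderer would act on instead of showing literally.
        "rendered_tags": sorted(set(finder.tags) & QT_RICH_TEXT_TAGS),
        # Resources the renderer would be asked to load.
        "image_sources": finder.image_sources,
        # Text that displays the name literally when rendered as rich text.
        "safe_text": html.escape(name, quote=False),
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for sample in ("Build Team",
                   "<H1>Team</H1>",
                   '<img src="https://example.invalid/x.png">'):
        print(audit_display_name(sample))
```

In a Qt application the same effect comes from setting the widget's text format to plain text or escaping the string before display.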